IBM QRadar DSM Configuration Guide April 2020 IBM



Note

Before using this information and the product that it supports, read the information in “Notices” on page 1201.

Product information

This document applies to IBM® QRadar® Security Intelligence Platform V7.2.1 and subsequent releases unless superseded by an updated version of this document.

© Copyright International Business Machines Corporation 2005, 2020.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

  • Contents

    About this DSM Configuration Guide.................................................................. xxix

    Part 1. QRadar DSM installation and log source management..................................1

    Chapter 1. Event collection from third-party devices.................................................................................3Adding a DSM..........................................................................................................................................4

    Chapter 2. Introduction to log source management...................................................................................5Adding a log source................................................................................................................................ 5Adding a log source by using the Log Sources icon...............................................................................7Adding bulk log sources......................................................................................................................... 8Adding bulk log sources by using the Log Sources icon........................................................................9Editing bulk log sources....................................................................................................................... 10Editing bulk log sources by using the Log Sources icon......................................................................10Adding a log source parsing order....................................................................................................... 11Testing log sources.............................................................................................................................. 11

    Protocols available for testing........................................................................................................12

    Chapter 3. Log source extensions............................................................................................................. 13Building a Universal DSM..................................................................................................................... 13Building a Universal DSM by using the Log Sources icon....................................................................14Exporting the logs ................................................................................................................................14Examples of log source extensions on QRadar forum ........................................................................16Patterns in log source extension documents...................................................................................... 16Match groups ....................................................................................................................................... 17

    Matcher (matcher).......................................................................................................................... 18JSON matcher (json-matcher)....................................................................................................... 22LEEF matcher (leef-matcher)......................................................................................................... 26CEF matcher (cef-matcher)............................................................................................................ 27Multi-event modifier (event-match-multiple)........................................................................27Single-event modifier (event-match-single).......................................................................... 28

    Extension document template.............................................................................................................29Creating a log source extensions document to get data into QRadar................................................ 31

    Common regular expressions ........................................................................................................32Building regular expression patterns ............................................................................................ 33Uploading extension documents to QRadar.................................................................................. 35

    Parsing issues and examples...............................................................................................................35Parsing a CSV log format ................................................................................................................38

    Chapter 4. Manage log source extensions................................................................................................ 39Adding a log source extension............................................................................................................. 39

    Chapter 5. Threat use cases by log source type....................................................................................... 41

    Chapter 6. Troubleshooting DSMs.............................................................................................................53

    Part 2. Protocols..................................................................................................55

    Chapter 7. Undocumented Protocols........................................................................................................57Configuring an undocumented protocol.............................................................................................. 57

    iii

  • Chapter 8. Protocol configuration options................................................................................................ 59Akamai Kona REST API protocol configuration options......................................................................59Amazon AWS S3 REST API protocol configuration options................................................................ 60Amazon Web Services protocol configuration options....................................................................... 65Apache Kafka protocol configuration options..................................................................................... 73

    Configuring Apache Kafka to enable Client Authentication.......................................................... 76Configuring Apache Kafka to enable SASL Authentication............................................................79Troubleshooting Apache Kafka ..................................................................................................... 81

    Blue Coat Web Security Service REST API protocol configuration options........................................81Centrify Redrock REST API protocol configuration options................................................................82Cisco Firepower eStreamer protocol configuration options............................................................... 83Cisco NSEL protocol configuration options......................................................................................... 84EMC VMware protocol configuration options...................................................................................... 85Forwarded protocol configuration options.......................................................................................... 86Google Cloud Pub/Sub protocol configuration options.......................................................................86

    Configuring Google Cloud Pub/Sub to integrate with QRadar.......................................................88Creating a Pub/Sub Topic and Subscription in the Google Cloud Console................................... 88Creating a service account and a service account key in Google Cloud Console to access

    the Pub/Sub Subscription..........................................................................................................90Populating a Pub/Sub topic with data............................................................................................ 93Adding a Google Cloud Pub/Sub log source in QRadar................................................................. 94

    Google G Suite Activity Reports REST API protocol options...............................................................95HTTP Receiver protocol configuration options....................................................................................96IBM BigFix SOAP protocol configuration options................................................................................96IBM Cloud Identity Event Service protocol configuration options..................................................... 97JDBC protocol configuration options...................................................................................................99JDBC - SiteProtector protocol configuration options........................................................................103Juniper Networks NSM protocol configuration options....................................................................105Juniper Security Binary Log Collector protocol configuration options.............................................105Log File protocol configuration options.............................................................................................106Microsoft Azure Event Hubs protocol configuration options............................................................ 107Microsoft DHCP protocol configuration options................................................................................109Microsoft Exchange protocol configuration options......................................................................... 111Microsoft IIS protocol configuration options.................................................................................... 113Microsoft Security Event Log protocol configuration options...........................................................115

    Microsoft Security Event Log over MSRPC Protocol.................................................................... 115MQ protocol configuration options.................................................................................................... 119Okta REST API protocol configuration options................................................................................. 120OPSEC/LEA protocol configuration options...................................................................................... 120Oracle Database Listener protocol configuration options................................................................ 122PCAP Syslog Combination protocol configuration options............................................................... 123SDEE protocol configuration options.................................................................................................125SMB Tail protocol configuration options........................................................................................... 126SNMPv2 protocol configuration options............................................................................................127SNMPv3 protocol configuration options............................................................................................128Seculert Protection REST API protocol configuration options......................................................... 128Sophos Enterprise Console JDBC protocol configuration options................................................... 130Sourcefire Defense Center eStreamer protocol options...................................................................132Syslog Redirect protocol overview.................................................................................................... 132TCP multiline syslog protocol configuration options........................................................................ 
133TLS syslog protocol configuration options........................................................................................ 138

    Multiple log sources over TLS Syslog...........................................................................................140UDP multiline syslog protocol configuration options........................................................................141VMware vCloud Director protocol configuration options..................................................................144

    Part 3. DSMs......................................................................................................145

    iv

  • Chapter 9. 3Com Switch 8800................................................................................................................ 147Configuring your 3COM Switch 8800 ................................................................................................147

    Chapter 10. AhnLab Policy Center.......................................................................................................... 149

    Chapter 11. Akamai Kona........................................................................................................................151Configure an Akamai Kona log source by using the HTTP Receiver protocol.................................. 151Configuring an Akamai Kona log source by using the Akamai Kona REST API protocol................. 152Configuring Akamai Kona to communicate with QRadar..................................................................154Creating an event map for Akamai Kona events............................................................................... 154Modifying the event map for Akamai Kona........................................................................................155Sample event messages.................................................................................................................... 156

    Chapter 12. Amazon AWS CloudTrail......................................................................................................159Configuring an Amazon AWS CloudTrail log source by using the Amazon AWS S3 REST API

    protocol......................................................................................................................................... 160Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with an SQS

    queue....................................................................................................................................... 160Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory

    prefix........................................................................................................................................ 172Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol. 180

    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Servicesprotocol and Kinesis Data Streams.........................................................................................181

    Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Servicesprotocol and CloudWatch Logs............................................................................................... 186

    Chapter 13. Amazon AWS Security Hub................................................................................................. 193Creating an IAM role for the Lambda function.................................................................................. 197Creating a Lambda function...............................................................................................................198Creating a CloudWatch events rule................................................................................................... 199Configuring the Lambda function...................................................................................................... 200Creating a log group and log stream to retrieve Amazon AWS Security Hub events for QRadar.... 202Creating an Identity and Access (IAM) user in the AWS Management Console when using

    Amazon Web Services...................................................................................................................202Amazon AWS Security Hub DSM specifications................................................................................ 203Amazon AWS Security Hub Sample event messages....................................................................... 203

    Chapter 14. Amazon GuardDuty............................................................................................................. 205Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol.........205

    Creating an IAM role for the Lambda function.............................................................................209Creating a Lambda function......................................................................................................... 211Creating a CloudWatch events rule..............................................................................................211Configuring the Lambda function................................................................................................. 212

    Creating a log group and log stream to retrieve Amazon GuardDuty events for QRadar................ 213Creating an Identity and Access (IAM) user in the AWS Management Console when using

    Amazon Web Services...................................................................................................................214Sample event message...................................................................................................................... 214

    Chapter 15. Ambiron TrustWave ipAngel ...............................................................................................217

    Chapter 16. Amazon VPC Flow Logs....................................................................................................... 219Amazon VPC Flow Logs specifications.............................................................................................. 222Publishing flow logs to an S3 bucket.................................................................................................223Create the SQS queue that is used to receive ObjectCreated notifications..................................... 223Configuring security credentials for your AWS user account............................................................224

    Chapter 17. APC UPS...............................................................................................................................225

    v

  • Configuring your APC UPS to forward syslog events.........................................................................226

    Chapter 18. Apache HTTP Server............................................................................................................227Configuring Apache HTTP Server with syslog................................................................................... 227Syslog log source parameters for Apache HTTP Server................................................................... 228Configuring Apache HTTP Server with syslog-ng..............................................................................228Syslog log source parameters for Apache HTTP Server................................................................... 229

    Chapter 19. Apple Mac OS X................................................................................................................... 231Syslog log source parameters for Apple MAC OS X.......................................................................... 231Configuring syslog on your Apple Mac OS X......................................................................................231

    Chapter 20. Application Security DbProtect..........................................................................................235Installing the DbProtect LEEF Relay Module.....................................................................................236Configuring the DbProtect LEEF Relay.............................................................................................. 236Configuring DbProtect alerts............................................................................................................. 237

    Chapter 21. Arbor Networks................................................................................................................... 239Arbor Networks Peakflow SP.............................................................................................................239

    Supported event types for Arbor Networks Peakflow SP ...........................................................240Configuring a remote syslog in Arbor Networks Peakflow SP.....................................................240Configuring global notifications settings for alerts in Arbor Networks Peakflow SP..................240Configuring alert notification rules in Arbor Networks Peakflow SP...........................................241Syslog log source parameters for Arbor Networks Peakflow SP................................................ 241

    Arbor Networks Pravail...................................................................................................................... 242Configuring your Arbor Networks Pravail system to send events to IBM QRadar......................243

    Chapter 22. Arpeggio SIFT-IT................................................................................................................ 245Configuring a SIFT-IT agent...............................................................................................................245Syslog log source parameters for Arpeggio SIFT-IT.........................................................................246Additional information....................................................................................................................... 246

    Chapter 23. Array Networks SSL VPN.....................................................................................................249Syslog log source parameters for Array Networks SSL VPN.............................................................249

    Chapter 24. Aruba Networks...................................................................................................................251Aruba ClearPass Policy Manager....................................................................................................... 251

    Configuring Aruba ClearPass Policy Manager to communicate with QRadar............................. 252Aruba Introspect................................................................................................................................ 252

    Configuring Aruba Introspect to communicate with QRadar...................................................... 254Aruba Mobility Controllers................................................................................................................. 255

    Configuring your Aruba Mobility Controller................................................................................. 255Syslog log source parameters for Aruba Mobility Controllers.....................................................255

    Chapter 25. Avaya VPN Gateway........................................................................................................... 257Avaya VPN Gateway DSM integration process..................................................................................257Configuring your Avaya VPN Gateway system for communication with IBM QRadar..................... 258Syslog log source parameters for Avaya VPN Gateway.................................................................... 258

    Chapter 26. BalaBit IT Security...............................................................................................................259BalaBit IT Security for Microsoft Windows Events............................................................................259

    Configuring the Syslog-ng Agent event source............................................................................259Configuring a syslog destination.................................................................................................. 260Restarting the Syslog-ng Agent service....................................................................................... 261Syslog log source parameters for BalaBit IT Security for Microsoft Windows Events............... 261

    BalaBit IT Security for Microsoft ISA or TMG Events........................................................................ 261Configure the BalaBit Syslog-ng Agent........................................................................................262Configuring the BalaBit Syslog-ng Agent file source................................................................... 262

    vi

  • Configuring a BalaBit Syslog-ng Agent syslog destination..........................................................263Filtering the log file for comment lines........................................................................................ 263Configuring a BalaBit Syslog-ng PE Relay....................................................................................264Syslog log source parameters for BalaBit IT Security for Microsoft ISA or TMG Events............265

    Chapter 27. Barracuda............................................................................................................................ 267Barracuda Spam & Virus Firewall...................................................................................................... 267

    Configuring syslog event forwarding............................................................................................267Syslog log source parameters for Barracuda Spam Firewall...................................................... 267

    Barracuda Web Application Firewall................................................................................................. 268Configuring Barracuda Web Application Firewall to send syslog events to QRadar.................. 269Configuring Barracuda Web Application Firewall to send syslog events to QRadar for

    devices that do not support LEEF .......................................................................................... 269Barracuda Web Filter......................................................................................................................... 270

    Configuring syslog event forwarding............................................................................................271Syslog log source parameters for Barracuda Web Filter.............................................................271

    Chapter 28. BeyondTrust PowerBroker..................................................................................................273Syslog log source parameters for BeyondTrust PowerBroker..........................................................273TLS Syslog log source parameters for BeyondTrust PowerBroker...................................................274Configuring BeyondTrust PowerBroker to communicate with QRadar............................................ 274BeyondTrust PowerBroker DSM specifications................................................................................ 276Sample event messages.................................................................................................................... 276

    Chapter 29. BlueCat Networks Adonis................................................................................................... 279Supported event types.......................................................................................................................279Event type format...............................................................................................................................279Configuring BlueCat Adonis............................................................................................................... 280Syslog log source parameters for BlueCat Networks Adonis........................................................... 280

    Chapter 30. Blue Coat............................................................................................................................. 281Blue Coat SG.......................................................................................................................................281

        Creating a custom event format ..... 282
        Creating a log facility ..... 283
        Enabling access logging ..... 283
        Configuring Blue Coat SG for FTP uploads ..... 284
        Syslog log source parameters for Blue Coat SG ..... 284
        Log File log source parameters for Blue Coat SG ..... 285
        Configuring Blue Coat SG for syslog ..... 288
        Creating extra custom format key-value pairs ..... 288
    Blue Coat Web Security Service ..... 288
        Configuring Blue Coat Web Security Service to communicate with QRadar ..... 290

Chapter 31. Box ..... 291
    Configuring Box to communicate with QRadar ..... 292

Chapter 32. Bridgewater ..... 295
    Configuring Syslog for your Bridgewater Systems Device ..... 295
    Syslog log source parameters for Bridgewater Systems ..... 295

Chapter 33. Brocade Fabric OS ..... 297
    Configuring syslog for Brocade Fabric OS appliances ..... 297

Chapter 34. CA Technologies ..... 299
    CA ACF2 ..... 299
        Create a log source for near real-time event feed ..... 300
        Log File log source parameter ..... 300
        Integrate CA ACF2 with IBM QRadar by using audit scripts ..... 304
        Configuring CA ACF2 that uses audit scripts to integrate with IBM QRadar ..... 305
    CA SiteMinder ..... 308
        Syslog log source parameters for CA SiteMinder ..... 308
        Configuring Syslog-ng for CA SiteMinder ..... 309
    CA Top Secret ..... 310
        Log File log source parameter ..... 311
        Create a log source for near real-time event feed ..... 315
        Integrate CA Top Secret with IBM QRadar by using audit scripts ..... 315
        Configuring CA Top Secret that uses audit scripts to integrate with IBM QRadar ..... 315

Chapter 35. Carbon Black ..... 319
    Carbon Black ..... 319
        Configuring Carbon Black to communicate with QRadar ..... 320
    Carbon Black Protection ..... 321
        Configuring Carbon Black Protection to communicate with QRadar ..... 322
    Carbon Black Bit9 Parity ..... 323
        Syslog log source parameters for Carbon Black Bit9 Parity ..... 323
    Bit9 Security Platform ..... 323
        Configuring Carbon Black Bit9 Security Platform to communicate with QRadar ..... 324

Chapter 36. Centrify ..... 325
    Centrify Identity Platform ..... 325
        Centrify Identity Platform DSM specifications ..... 326
        Configuring Centrify Identity Platform to communicate with QRadar ..... 327
        Sample event message ..... 328
    Centrify Infrastructure Services ..... 328
        Configuring WinCollect agent to collect event logs from Centrify Infrastructure Services ..... 330
        Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar ..... 331
        Sample event messages ..... 332

Chapter 37. Check Point ..... 335
    Check Point ..... 335
        Integration of Check Point by using OPSEC ..... 335
        Adding a Check Point Host ..... 336
        Creating an OPSEC Application Object ..... 336
        Locating the log source SIC ..... 337
        OPSEC/LEA log source parameters for Check Point ..... 337
        Edit your OPSEC communications configuration ..... 338
        Changing the default port for OPSEC LEA communication ..... 338
        Configuring OPSEC LEA for unencrypted communications ..... 339
        Integration of Check Point Firewall events from external syslog forwarders ..... 340
        Configuring Check Point to forward LEEF events to QRadar ..... 341
        Sample event messages ..... 343
    Check Point Multi-Domain Management (Provider-1) ..... 344
        Integrating syslog for Check Point Multi-Domain Management (Provider-1) ..... 344
        Syslog log source parameters for Check Point Multi-Domain Management (Provider-1) ..... 345
        Configuring OPSEC for Check Point Multi-Domain Management (Provider-1) ..... 345
        OPSEC/LEA log source parameters for Check Point Multi-Domain Management (Provider-1) ..... 346
        Configuring Check Point to forward LEEF events to QRadar ..... 346

Chapter 38. Cilasoft QJRN/400 ..... 349
    Configuring Cilasoft QJRN/400 ..... 349
    Syslog log source parameters for Cilasoft QJRN/400 ..... 350

Chapter 39. Cisco ..... 353
    Cisco ACE Firewall ..... 353
        Configuring Cisco ACE Firewall ..... 353
        Syslog log source parameters for Cisco ACE Firewall ..... 353
    Cisco ACS ..... 354
        Configuring Syslog for Cisco ACS v5.x ..... 354
        Creating a Remote Log Target ..... 354
        Configuring global logging categories ..... 355
        Syslog log source parameters for Cisco ACS v5.x ..... 355
        Configuring Syslog for Cisco ACS v4.x ..... 356
        Configuring syslog forwarding for Cisco ACS v4.x ..... 356
        Syslog log source parameters for Cisco ACS v4.x ..... 357
        UDP Multiline Syslog log source parameters for Cisco ACS ..... 357
    Cisco Aironet ..... 358
        Syslog log source parameters for Cisco Aironet ..... 359
    Cisco ASA ..... 359
        Integrate Cisco ASA Using Syslog ..... 359
        Configuring syslog forwarding ..... 360
        Syslog log source parameters for Cisco ASA ..... 360
        Integrate Cisco ASA for NetFlow by using NSEL ..... 361
        Configuring NetFlow Using NSEL ..... 361
        Cisco NSEL log source parameters for Cisco ASA ..... 362
    Cisco AMP ..... 363
        Cisco AMP DSM specifications ..... 363
        Creating a Cisco AMP Client ID and API key for event queues ..... 364
        Creating a Cisco AMP event stream ..... 365
        Configure a log source for a user to manage the Cisco AMP event stream ..... 366
        Sample event message ..... 367
    Cisco CallManager ..... 368
        Configuring syslog forwarding ..... 368
        Syslog log source parameters for Cisco CallManager ..... 369
    Cisco CatOS for Catalyst Switches ..... 369
        Configuring syslog ..... 369
        Syslog log source parameters for Cisco CatOS for Catalyst Switches ..... 370
    Cisco Cloud Web Security ..... 370
        Configuring Cloud Web Security to communicate with QRadar ..... 372
    Cisco CSA ..... 373
        Configuring syslog for Cisco CSA ..... 373
        Syslog log source parameters for Cisco CSA ..... 374
    Cisco Firepower Management Center ..... 374
        Creating Cisco Firepower Management Center 5.x and 6.x certificates ..... 376
        Importing a Cisco Firepower Management Center certificate in QRadar ..... 378
        Configure your Cisco Firepower appliance to send intrusion or connection events to QRadar by using Syslog ..... 379
        Cisco Firepower Management Center log source parameters ..... 380
    Cisco FWSM ..... 380
        Configuring Cisco FWSM to forward syslog events ..... 380
        Syslog log source parameters for Cisco FWSM ..... 381
    Cisco Identity Services Engine ..... 381
        Configuring a remote logging target in Cisco ISE ..... 384
        Configuring logging categories in Cisco ISE ..... 384
    Cisco IDS/IPS ..... 385
        SDEE log source parameters for Cisco IDS/IPS ..... 385
    Cisco IOS ..... 387
        Configuring Cisco IOS to forward events ..... 387
        Syslog log source parameters for Cisco IOS ..... 388
    Cisco IronPort ..... 389
        Cisco IronPort DSM specifications ..... 389
        Configuring Cisco IronPort appliances to communicate with QRadar ..... 390
        Configuring a Cisco IronPort and Cisco ESA log source by using the log file protocol ..... 390
        Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol ..... 393
        Sample event messages ..... 394
    Cisco Meraki ..... 394
        Cisco Meraki DSM specifications ..... 395
        Configure Cisco Meraki to communicate with IBM QRadar ..... 396
        Sample event messages ..... 396
    Cisco NAC ..... 398
        Configuring Cisco NAC to forward events ..... 398
        Syslog log source parameters for Cisco NAC ..... 398
    Cisco Nexus ..... 399
        Configuring Cisco Nexus to forward events ..... 399
        Syslog log source parameters for Cisco Nexus ..... 399
    Cisco Pix ..... 400
        Configuring Cisco Pix to forward events ..... 400
        Syslog log source parameters for Cisco Pix ..... 401
    Cisco Stealthwatch ..... 401
        Configuring Cisco Stealthwatch to communicate with QRadar ..... 402
    Cisco Umbrella ..... 403
        Configure Cisco Umbrella to communicate with QRadar ..... 406
        Cisco Umbrella DSM specifications ..... 406
        Sample event messages ..... 406
    Cisco VPN 3000 Concentrator ..... 407
        Syslog log source parameters for Cisco VPN 3000 Concentrator ..... 407
    Cisco Wireless LAN Controllers ..... 408
        Configuring syslog for Cisco Wireless LAN Controller ..... 408
        Syslog log source parameters for Cisco Wireless LAN Controllers ..... 409
        Configuring SNMPv2 for Cisco Wireless LAN Controller ..... 410
        Configuring a trap receiver for Cisco Wireless LAN Controller ..... 411
        SNMPv2 log source parameters for Cisco Wireless LAN Controllers ..... 411
    Cisco Wireless Services Module ..... 412
        Configuring Cisco WiSM to forward events ..... 413
        Syslog log source parameters for Cisco WiSM ..... 414

Chapter 40. Citrix ..... 417
    Citrix Access Gateway ..... 417
        Syslog log source parameters for Citrix Access Gateway ..... 417
    Citrix NetScaler ..... 418
        Syslog log source parameters for Citrix NetScaler ..... 419

Chapter 41. Cloudera Navigator ..... 421
    Configuring Cloudera Navigator to communicate with QRadar ..... 422

Chapter 42. CloudPassage Halo ..... 423
    Configuring CloudPassage Halo for communication with QRadar ..... 423
    Syslog log source parameters for CloudPassage Halo ..... 425
    Log File log source parameters for CloudPassage Halo ..... 425

Chapter 43. CloudLock Cloud Security Fabric ..... 427
    Configuring CloudLock Cloud Security Fabric to communicate with QRadar ..... 428

Chapter 44. Correlog Agent for IBM z/OS ..... 429
    Configuring your CorreLog Agent system for communication with QRadar ..... 430

Chapter 45. CrowdStrike Falcon Host ..... 431
    Configuring CrowdStrike Falcon Host to communicate with QRadar ..... 432

Chapter 46. CRYPTOCard CRYPTO-Shield ..... 435
    Configuring syslog for CRYPTOCard CRYPTO-Shield ..... 435
    Syslog log source parameters for CRYPTOCard CRYPTO-Shield ..... 435

Chapter 47. CyberArk ..... 437
    CyberArk Privileged Threat Analytics ..... 437
        Configuring CyberArk Privileged Threat Analytics to communicate with QRadar ..... 438
    CyberArk Vault ..... 438
        Configuring syslog for CyberArk Vault ..... 439
        Syslog log source parameters for CyberArk Vault ..... 439

Chapter 48. CyberGuard Firewall/VPN Appliance ..... 441
    Configuring syslog events ..... 441
    Syslog log source parameters for CyberGuard ..... 441

Chapter 49. Damballa Failsafe ..... 443
    Configuring syslog for Damballa Failsafe ..... 443
    Syslog log source parameters for Damballa Failsafe ..... 443

Chapter 50. DG Technology MEAS ..... 445
    Configuring your DG Technology MEAS system for communication with QRadar ..... 445

Chapter 51. Digital China Networks (DCN) ..... 447
    Configuring a DCN DCS/DCRS Series Switch ..... 447
    Syslog log source parameters for DCN DCS/DCRS Series switches ..... 448

Chapter 52. Enterprise-IT-Security.com SF-Sherlock ..... 449
    Configuring Enterprise-IT-Security.com SF-Sherlock to communicate with QRadar ..... 450

Chapter 53. Epic SIEM ..... 451
    Configuring Epic SIEM 2014 to communicate with QRadar ..... 452
    Configuring Epic SIEM 2015 to communicate with QRadar ..... 452
    Configuring Epic SIEM 2017 to communicate with QRadar ..... 454

Chapter 54. ESET Remote Administrator ..... 457
    Configuring ESET Remote Administrator to communicate with QRadar ..... 458

Chapter 55. Exabeam ..... 459
    Configuring Exabeam to communicate with QRadar ..... 459

Chapter 56. Extreme ..... 461
    Extreme 800-Series Switch ..... 461
        Configuring your Extreme 800-Series Switch ..... 461
        Syslog log source parameters for Extreme 800-Series Switches ..... 461
    Extreme Dragon ..... 462
        Creating a Policy for Syslog ..... 462
        Syslog log source parameters for Extreme Dragon ..... 464
        Configure the EMS to forward syslog messages ..... 464
        Configuring syslog-ng Using Extreme Dragon EMS V7.4.0 and later ..... 464
        Configuring syslogd Using Extreme Dragon EMS V7.4.0 and earlier ..... 465
    Extreme HiGuard Wireless IPS ..... 465
        Configuring Enterasys HiGuard ..... 465
        Syslog log source parameters for Extreme HiGuard ..... 466
    Extreme HiPath Wireless Controller ..... 467
        Configuring your HiPath Wireless Controller ..... 467
        Syslog log source parameters for Extreme HiPath ..... 467
    Extreme Matrix Router ..... 468
    Extreme Matrix K/N/S Series Switch ..... 468
    Extreme NetSight Automatic Security Manager ..... 469
    Extreme NAC ..... 470
        Syslog log source parameters for Extreme NAC ..... 470
    Extreme stackable and stand-alone switches ..... 471
    Extreme Networks ExtremeWare ..... 472
        Syslog log source parameters for Extreme Networks ExtremeWare ..... 472
    Extreme XSR Security Router ..... 473
        Syslog log source parameters for Extreme XSR Security Router ..... 473

Chapter 57. F5 Networks ..... 475
    F5 Networks BIG-IP AFM ..... 475
        Configuring a logging pool ..... 475
        Creating a high-speed log destination ..... 476
        Creating a formatted log destination ..... 476
        Creating a log publisher ..... 476
        Creating a logging profile ..... 477
        Associating the profile to a virtual server ..... 477
        Syslog log source parameters for F5 Networks BIG-IP AFM ..... 478
    F5 Networks BIG-IP APM ..... 478
        Configuring Remote Syslog for F5 BIG-IP APM V11.x to V14.x ..... 478
        Configuring a Remote Syslog for F5 BIG-IP APM 10.x ..... 479
        Syslog log source parameters for F5 Networks BIG-IP APM ..... 479
    Configuring F5 Networks BIG-IP ASM ..... 480
        Syslog log source parameters for F5 Networks BIG-IP ASM ..... 480
    F5 Networks BIG-IP LTM ..... 481
        Syslog log source parameters for F5 Networks BIG-IP LTM ..... 481
        Configuring syslog forwarding in BIG-IP LTM ..... 481
        Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x ..... 482
        Configuring Remote Syslog for F5 BIG-IP LTM V10.x ..... 482
        Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8 ..... 483
    F5 Networks FirePass ..... 483
        Configuring syslog forwarding for F5 FirePass ..... 483
        Syslog log source parameters for F5 Networks FirePass ..... 484

Chapter 58. Fair Warning ..... 485
    Log File log source parameters for Fair Warning ..... 485

Chapter 59. Fasoo Enterprise DRM ..... 487
    Configuring Fasoo Enterprise DRM to communicate with QRadar ..... 491

Chapter 60. Fidelis XPS ..... 493
    Configuring Fidelis XPS ..... 493
    Syslog log source parameters for Fidelis XPS ..... 494

Chapter 61. FireEye ..... 495
    Configuring your FireEye system for communication with QRadar ..... 497
    Configuring your FireEye HX system for communication with QRadar ..... 497

Chapter 62. Forcepoint ..... 499
    FORCEPOINT Stonesoft Management Center ..... 499
        Configuring FORCEPOINT Stonesoft Management Center to communicate with QRadar ..... 500
        Configuring a syslog traffic rule for FORCEPOINT Stonesoft Management Center ..... 501
    Forcepoint Sidewinder ..... 502
        Forcepoint Sidewinder DSM specifications ..... 503
        Configure Forcepoint Sidewinder to communicate with QRadar ..... 503
        Sample event messages ..... 503
    Forcepoint TRITON ..... 504
        Configuring syslog for Forcepoint TRITON ..... 505
        Syslog log source parameters for Forcepoint TRITON ..... 505
    Forcepoint V-Series Data Security Suite ..... 506
        Configuring syslog for Forcepoint V-Series Data Security Suite ..... 506


            Syslog log source parameters for Forcepoint V-Series Data Security Suite ..... 506
        Forcepoint V-Series Content Gateway ..... 507
            Configure syslog for Forcepoint V-Series Content Gateway ..... 507
            Configuring the Management Console for Forcepoint V-Series Content Gateway ..... 507
            Enabling Event Logging for Forcepoint V-Series Content Gateway ..... 508
            Syslog log source parameters for Forcepoint V-Series Content Gateway ..... 508
            Log file protocol for Forcepoint V-Series Content Gateway ..... 509

    Chapter 63. ForeScout CounterACT ..... 511
        Syslog log source parameters for ForeScout CounterACT ..... 511
        Configuring the ForeScout CounterACT Plug-in ..... 511
        Configuring ForeScout CounterACT Policies ..... 512

    Chapter 64. Fortinet FortiGate Security Gateway ..... 515
        Configuring a syslog destination on your Fortinet FortiGate Security Gateway device ..... 516
        Configuring a syslog destination on your Fortinet FortiAnalyzer device ..... 516

    Chapter 65. Foundry FastIron ..... 519
        Configuring syslog for Foundry FastIron ..... 519
        Syslog log source parameters for Foundry FastIron ..... 519

    Chapter 66. FreeRADIUS ..... 521
        Configuring your FreeRADIUS device to communicate with QRadar ..... 521

    Chapter 67. Generic ..... 523
        Generic Authorization Server ..... 523
            Configuring event properties ..... 523
            Syslog log source parameters for Generic Authorization Server ..... 525
        Generic Firewall ..... 525
            Configuring event properties ..... 525
            Syslog log source parameters for Generic Firewall ..... 527

    Chapter 68. genua genugate ..... 529
        Configuring genua genugate to send events to QRadar ..... 530

    Chapter 69. Google G Suite Activity Reports ..... 531
        Google G Suite Activity Reports DSM specifications ..... 531
        Configuring Google G Suite Activity Reports to communicate with QRadar ..... 532
        Assign a role to a user ..... 532
        Create a service account with viewer access ..... 534
        Grant API client access to a service account ..... 534
        Google G Suite Activity Reports log source parameters ..... 535
        Sample event messages ..... 536
        Troubleshooting Google G Suite Activity Reports ..... 537
            Invalid private keys ..... 537
            Authorization errors ..... 538
            Invalid email or username errors ..... 538
            Invalid JSON formatting ..... 539
            Network errors ..... 539
            Google G Suite Activity Reports FAQ ..... 539

    Chapter 70. Great Bay Beacon ..... 541
        Configuring syslog for Great Bay Beacon ..... 541
        Syslog log source parameters for Great Bay Beacon ..... 541

    Chapter 71. HBGary Active Defense ..... 543
        Configuring HBGary Active Defense ..... 543
        Syslog log source parameters for HBGary Active Defense ..... 543


    Chapter 72. H3C Technologies ..... 545
        H3C Comware Platform ..... 545
            Configuring H3C Comware Platform to communicate with QRadar ..... 546

    Chapter 73. Honeycomb Lexicon File Integrity Monitor (FIM) ..... 547
        Supported Honeycomb FIM event types logged by QRadar ..... 547
        Configuring the Lexicon mesh service ..... 548
        Syslog log source parameters for Honeycomb Lexicon File Integrity Monitor ..... 548

    Chapter 74. Hewlett Packard (HP) ..... 551
        HP Network Automation ..... 551
            Configuring HP Network Automation Software to communicate with QRadar ..... 552
        HP ProCurve ..... 553
            Syslog log source parameters for HP ProCurve ..... 553
        HP Tandem ..... 554
        Hewlett Packard UniX (HP-UX) ..... 554
            Syslog log source parameters for Hewlett Packard UniX (HP-UX) ..... 555

    Chapter 75. Huawei ..... 557
        Huawei AR Series Router ..... 557
            Syslog log source parameters for Huawei AR Series Router ..... 557
            Configuring Your Huawei AR Series Router ..... 558
        Huawei S Series Switch ..... 558
            Syslog log source parameters for Huawei S Series Switch ..... 559
            Configuring Your Huawei S Series Switch ..... 559

    Chapter 76. HyTrust CloudControl ..... 561
        Configuring HyTrust CloudControl to communicate with QRadar ..... 562

    Chapter 77. IBM ..... 563
        IBM AIX ..... 563
            IBM AIX Server DSM overview ..... 563
            IBM AIX Audit DSM overview ..... 564
        IBM i ..... 569
            Configuring IBM i to integrate with IBM QRadar ..... 570
            Manually extracting journal entries for IBM i ..... 571
            Pulling Data Using Log File Protocol ..... 572
            Configuring Townsend Security Alliance LogAgent to integrate with QRadar ..... 573
        IBM BigFix ..... 573
        IBM BigFix Detect ..... 574
        IBM Bluemix Platform ..... 574
            Configuring IBM Bluemix Platform to communicate with QRadar ..... 575
        IBM CICS ..... 577
            Create a log source for near real-time event feed ..... 578
            Log File log source parameter ..... 578
        IBM Cloud Identity ..... 582
            IBM Cloud Identity DSM specifications ..... 583
            Configuring IBM Cloud Identity server to send events to QRadar ..... 583
            IBM Cloud Identity Event Service log source parameters for IBM Cloud Identity ..... 583
            Sample event messages ..... 584
        IBM DataPower ..... 587
            Configuring IBM DataPower to communicate with QRadar ..... 588
        IBM DB2 ..... 589
            Create a log source for near real-time event feed ..... 590
            Log File log source parameter ..... 590
            Integrating IBM DB2 Audit Events ..... 594
            Extracting audit data for DB2 v8.x to v9.4 ..... 595


            Extracting audit data for DB2 v9.5 ..... 595
        IBM Federated Directory Server ..... 596
            Configuring IBM Federated Directory Server to monitor security events ..... 597
        IBM Fiberlink MaaS360 ..... 597
            IBM Fiberlink REST API log source parameters for IBM Fiberlink MaaS360 ..... 598
        IBM Guardium ..... 599
            Creating a syslog destination for events ..... 599
            Configuring policies to generate syslog events ..... 600
            Installing an IBM Guardium Policy ..... 601
            Syslog log source parameters for IBM Guardium ..... 601
            Creating an event map for IBM Guardium events ..... 602
            Modifying the event map ..... 602
        IBM IMS ..... 603
            Configuring IBM IMS ..... 604
            Log File log source parameters for IBM IMS ..... 606
        IBM Informix Audit ..... 606
        IBM Lotus Domino ..... 607
            Setting Up SNMP Services ..... 607
            Setting up SNMP in AIX ..... 607
            Starting the Domino Server Add-in Tasks ..... 608
            Configuring SNMP Services ..... 608
            SNMPv2 log source parameters for IBM Lotus Domino ..... 609
        IBM Privileged Session Recorder ..... 609
            Configuring IBM Privileged Session Recorder to communicate with QRadar ..... 611
            JDBC log source parameters for IBM Privileged Session Recorder ..... 611
        IBM Proventia ..... 611
            IBM Proventia Management SiteProtector ..... 611
            JDBC log source parameters for IBM Proventia Management SiteProtector ..... 612
            IBM ISS Proventia ..... 613
        IBM QRadar Packet Capture ..... 614
            Configuring IBM QRadar Packet Capture to communicate with QRadar ..... 615
            Configuring IBM QRadar Network Packet Capture to communicate with QRadar ..... 616
        IBM RACF ..... 616
            Log File log source parameter ..... 617
            Create a log source for near real-time event feed ..... 621
            Integrate IBM RACF with IBM QRadar by using audit scripts ..... 622
            Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar ..... 622
        IBM SAN Volume Controller ..... 624
            Configuring IBM SAN Volume Controller to communicate with QRadar ..... 626
        IBM Security Access Manager for Enterprise Single Sign-On ..... 626
            Configuring a log server type ..... 626
            Configuring syslog forwarding ..... 627
            Syslog log source parameters for IBM Security Access Manager for Enterprise Single Sign-On ..... 627
        IBM Security Access Manager for Mobile ..... 628
            Configuring IBM Security Access Manager for Mobile to communicate with QRadar ..... 630
            Configuring IBM IDaaS Platform to communicate with QRadar ..... 631
            Configuring an IBM IDaaS console to communicate with QRadar ..... 631
        IBM Security Directory Server ..... 631
            IBM Security Directory Server DSM specifications ..... 632
            Configuring IBM Security Directory Server to communicate with QRadar ..... 632
            Syslog log source parameters for IBM Security Directory Server ..... 633
        IBM Security Identity Governance ..... 634
            JDBC log source parameters for IBM Security Identity Governance ..... 636
        IBM Security Identity Manager ..... 637
            IBM Security Identity Manager JDBC log source parameters for IBM Security Identity Manager ..... 637
        IBM Security Network IPS (GX) ..... 641


            Configuring your IBM Security Network IPS (GX) appliance for communication with QRadar ..... 642
            Syslog log source parameters for IBM Security Network IPS (GX) ..... 642
        IBM QRadar Network Security XGS ..... 643
            Configuring IBM QRadar Network Security XGS Alerts ..... 643
            Syslog log source parameters for IBM QRadar Network Security XGS ..... 644
        IBM Security Privileged Identity Manager ..... 645
            Configuring IBM Security Privileged Identity Manager to communicate with QRadar ..... 648
            Sample event message ..... 649
        IBM Security Trusteer Apex Advanced Malware Protection ..... 649
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to QRadar ..... 653
            Configuring IBM Security Trusteer Apex Advanced Malware Protection to send TLS Syslog events to QRadar ..... 654
            Configuring a Flat File Feed service ..... 656
        IBM Security Trusteer Apex Local Event Aggregator ..... 657
            Configuring syslog for Trusteer Apex Local Event Aggregator ..... 657
        IBM Sense ..... 658
            Configuring IBM Sense to communicate with QRadar ..... 659
        IBM SmartCloud Orchestrator ..... 659
            Installing IBM SmartCloud Orchestrator ..... 660
            IBM SmartCloud Orchestrator log source parameters ..... 660

    IBM Tivoli